From 626f74ed2bfb94636e7245d0a76e48a98164e503 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Mon, 29 Dec 2025 04:58:49 -0500 Subject: [PATCH] Fix service cluster ip range. Kubernetes only allows a /112 for service ip range. --- nix/kubernetes/keys/package/k8s-ca/files/ca.conf | 1 + nix/kubernetes/roles/kube_apiserver/default.nix | 2 +- nix/kubernetes/roles/kube_controller_manager/default.nix | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/nix/kubernetes/keys/package/k8s-ca/files/ca.conf b/nix/kubernetes/keys/package/k8s-ca/files/ca.conf index b26ddbf4..8893f9dd 100644 --- a/nix/kubernetes/keys/package/k8s-ca/files/ca.conf +++ b/nix/kubernetes/keys/package/k8s-ca/files/ca.conf @@ -279,6 +279,7 @@ IP.10 = 10.215.1.225 IP.11 = 2620:11f:7001:7:ffff:ffff:0ad7:01e1 IP.12 = 10.215.1.226 IP.13 = 2620:11f:7001:7:ffff:ffff:0ad7:01e2 +IP.14 = fd00:3e42:e349::1 DNS.0 = kubernetes DNS.1 = kubernetes.default DNS.2 = kubernetes.default.svc diff --git a/nix/kubernetes/roles/kube_apiserver/default.nix b/nix/kubernetes/roles/kube_apiserver/default.nix index 4bd798e5..8cf4fb97 100644 --- a/nix/kubernetes/roles/kube_apiserver/default.nix +++ b/nix/kubernetes/roles/kube_apiserver/default.nix @@ -84,7 +84,7 @@ in "--tls-cert-file=/.persist/keys/kube/kube-api-server.crt" "--tls-private-key-file=/.persist/keys/kube/kube-api-server.key" "--tls-min-version=VersionTLS13" - "--service-cluster-ip-range=fd00:3e42:e349::/48" + "--service-cluster-ip-range=fd00:3e42:e349::/112" "--v=2" # OLD: diff --git a/nix/kubernetes/roles/kube_controller_manager/default.nix b/nix/kubernetes/roles/kube_controller_manager/default.nix index 40ac4867..282d0a5b 100644 --- a/nix/kubernetes/roles/kube_controller_manager/default.nix +++ b/nix/kubernetes/roles/kube_controller_manager/default.nix 
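Review bot: The new `IP.14` entry has no comment tying it to the service range, and among the visible entries it is the only SAN derived from a flag value rather than a host address. It appears to be the first address of `--service-cluster-ip-range` (the ClusterIP that `kubernetes.default` receives), so it has to change whenever that flag changes in the kube_apiserver and kube_controller_manager roles. I would add `# kubernetes.default ClusterIP = first address of --service-cluster-ip-range; keep in sync with the kube_apiserver role` above it. The serving certificate presumably has to be reissued from this config before in-cluster clients can verify the API server on that address. The rest of the SAN list lies outside the hunk.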
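Review bot: The literal `fd00:3e42:e349::/112` is now repeated in this role and in kube_controller_manager (second hunk of that file), with `fd00:3e42:e349::1` derived from it in ca.conf, so the three can drift and leave the API server certificate without a matching SAN. A single shared binding, for example `serviceCidr = "fd00:3e42:e349::/112";` used as `"--service-cluster-ip-range=${serviceCidr}"`, would keep them together; where that binding belongs depends on module layout not visible here. It would also help to record the constraint next to the flag: kube-apiserver rejects IPv6 service ranges wider than /108, so a comment such as `# IPv6 service CIDR must be /108 or longer` is more precise than the commit message's "only allows a /112". The argument list continues outside the hunk.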
@@ -39,6 +39,7 @@ in
 "--bind-address=0.0.0.0"
 # "--cluster-cidr=10.200.0.0/16"
 # "--cluster-cidr=2620:11f:7001:7:ffff:ffff:0ac8:0000/16"
+ "--allocate-node-cidrs=true"
 "--cluster-cidr=fd49:0595:2bba::/48"
 "--cluster-name=kubernetes"
 "--cluster-signing-cert-file=/.persist/keys/kube/ca.crt"
@@ -48,7 +49,7 @@ in
 "--service-account-private-key-file=/.persist/keys/kube/service-accounts.key"
 # "--service-cluster-ip-range=10.197.0.0/16"
 # "--service-cluster-ip-range=2620:11f:7001:7:ffff:ffff:0ac5:0000/16"
- "--service-cluster-ip-range=fd00:3e42:e349::/48"
+ "--service-cluster-ip-range=fd00:3e42:e349::/112"
 "--use-service-account-credentials=true"
 "--v=2"
 ]
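Review bot: `--allocate-node-cidrs=true` is added without a comment and is not mentioned in the commit description, which only covers the service range. With `--cluster-cidr=fd49:0595:2bba::/48` the allocator relies on the default IPv6 node mask of /64, and the 16-bit gap between /48 and /64 is, as far as I know, the largest the range allocator accepts, so a later change to either value can stop the controller manager from starting. I would make the dependency explicit with `"--node-cidr-mask-size=64"` and a comment like `# hand each node a /64 from cluster-cidr; the pod network must use node.spec.podCIDR`. Whether the CNI in this cluster consumes the allocated podCIDR is not visible from this hunk.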